Open GoogleCodeExporter opened 9 years ago
Morphium, could you tell me what OS you are running and which syslog server you
are using?
Also, how did you get the data you added to the issue, is it from your syslog
server or from a tool like wireshark? I'm interested in knowing what the
separating characters are. the [...]
Original comment by sherwin....@gmail.com
on 1 Aug 2011 at 4:23
Hi,
I'm using Server 2008 R2 on the eventlog-to-syslog - side.
On the server side, it's rsyslog (on gentoo).
We already tried different log formats, this one looks best (standard syslog
format).
The line I pasted is from the Server log itself, it looks like:
2011-07-31T22:29:15.791311+02:00 192.168.20.55 nto: SophosSAUWSM-TEST0
Arbeitsstation: XXXXXXXX Fehlercode: 0x0<29>Jul 31 22:30:16 XXXXXXXX xxxxxxxx:
Security-Auditing: 4648: Anmeldeversuch mit expliziten Anmeldeinformationen.
Antragsteller: Sicherheits-ID: S-1-5-18 Kontoname: XXXXXXXX$ Kontodomäne:
yyyyyyyyy Anmelde-ID: 0x3e7 Anmelde-GUID:
{00000000-0000-0000-0000-000000000000} Konto, dessen Anmeldeinformationen
verwendet wurden: Kontoname: SophosSAUWSM-TEST0 Kontodomäne: XXXXXXXX
Anmelde-GUID: {00000000-0000-0000-0000-000000000000} Zielserver:
Zielservername: localhost Weitere Informationen: localhost
Prozessinformationen: Prozess-ID: 0xd9c Prozessname:
C:\Windows\Temp\sophos_autoupdate1.dir\ALUpdate.exe Netzwerkinformationen:
Netzwerkadresse: - Port: - Dieses Ereignis wird bei einem Anmeldeversuch durch
einen Prozess generiert, wenn ausdrücklich die Anmeldeinformationen des Kontos
angegeben werden. Dies ist normalerweise der Fall in Batch-Konfigurationen, z.
B. bei geplanten Aufgaben oder wenn der Befehl "runas" verwendet wird.<29>Jul
31 22:30:16 XXXXXXXX xxxxxxxx: Security-Auditing: 4624: Ein Konto wurde
erfolgreich angemeldet. Antragsteller: Sicherheits-ID: S-1-5-18 Kontoname:
XXXXXXXX$ Kontodomäne: yyyyyyyyy Anmelde-ID: 0x3e7 Anmeldetyp: 5 Neue
Anmeldung: Sicherheits-ID: S-1-5-21-3405417-2020991102-1438646732-1000
Kontoname: SophosSAUWSM-TEST0 Kontodomäne: XXXXXXXX Anmelde-ID: 0x1bac21fb
Anmelde-GUID: {00000000-0000-0000-0000-000000000000} Prozessinformationen:
Prozess-ID: 0xd9c Prozessname:
C:\Windows\Temp\sophos_autoupdate1.dir\ALUpdate.exe Netzwerkinformationen:
Arbeitsstationsname: XXXXXXXX Quellnetzwerkadresse: - Quellport: - Detaillierte
Authentifizierungsinformationen: Anmeldeprozess: Advapi
Authentifizierungspaket: Negotiate Übertragene Dienste: - Paketname (nur
NTLM): - Schlüssellänge: 0 Dieses Ereignis wird beim Erstellen einer
Anmeldesitzung generiert. Es wird auf dem Computer generiert, auf den
zugegriffen wurde. Die Antragstellerfelder geben das Konto auf dem lokalen
System an, von dem die Anmeldung angefordert▒#▒▒XO<29>Jul 31 22:30
It looks like you're using some multiline feature, so thats why I wrote I would
like to receive one Event per line :)
Thanks for your time!
morphium
Original comment by theodor....@gmail.com
on 1 Aug 2011 at 6:15
Sorry for the delay. I recently rebuilt my system and have not gotten my test
VMs back on this machine yet. If possible could you conduct a test using Kiwi
Syslog Server. It's free and it's what I used to test it originally. Also, if
you have wireshark available do a capture and see what is actually coming
across the wire.
I did a check of the code and there is nothing unusual going on there. Each
event should get its own packet unless Windows is doing some caching (which I
highly doubt). I know when I tested it it worked as expected. If you don't have
the ability to do the testing right now I will get my environment set up this
weekend and check.
Original comment by sherwin....@gmail.com
on 4 Aug 2011 at 6:01
I use syslog-ng and I am getting the same results
Original comment by james.ki...@gmail.com
on 7 Nov 2011 at 8:21
I don't really think this is related, but is your syslog server set to
expect UTF-8 messages?
-Sherwin
On Nov 7, 2011, at 3:22 PM, "eventlog-to-syslog@googlecode.com"
<eventlog-to-syslog@googlecode.com> wrote:
Original comment by sherwin....@gmail.com
on 7 Nov 2011 at 10:42
Here is an output from tcpdump (2 packets). It looks to me like it is combining
events in a single packet and seems to be using <29> or <27> to separate events.
Is this the expected behavior?
07:19:51.715860 IP jimmykang.hartlee.lan.57647 > nagios.hartlee.lan.5514: Flags
[P.], seq 1:201, ack 1, win 46, options [nop,nop,TS val 33470222 ecr
123772576], length 200
E.....@.@.0.
..8
..4./...vz ..g.....qx.....
.....`..<29>Nov 8 10:03:08 SERVER2 Eventlog to Syslog Service Started: Version
4.4 (64-bit)<29>Nov 8 10:03:08 SERVER2 Flags: LogLevel=0, IncludeOnly=False,
EnableTcp=True, IncludeTag=False, StatusInterval=0
07:19:51.715906 IP nagios.hartlee.lan.5514 > jimmykang.hartlee.lan.57647: Flags
[.], ack 201, win 972, options [nop,nop,TS val 123772577 ecr 33470222], length 0
E..4.^@.@..i
..4
..8.../..g..vz.....<#.....
.`......
07:20:41.765883 IP jimmykang.hartlee.lan.57647 > nagios.hartlee.lan.5514: Flags
[P.], seq 201:697, ack 1, win 46, options [nop,nop,TS val 33475330 ecr
123772577], length 496
E..$..@.@./.
..8
..4./...vz...g............
.....`..<27>Nov 8 10:03:55 SERVER2 Security-Auditing: 4957: Windows Firewall
did not apply the following rule: Rule Information: ID: CoreNet-IPHTTPS-In
Name: Core Networking - IPHTTPS (TCP-In) Error Information: Reason: Local Port
resolved to an empty set.<27>Nov 8 10:03:55 SERVER2 Security-Auditing: 4957:
Windows Firewall did not apply the following rule: Rule Information: ID:
CoreNet-Teredo-In Name: Core Networking - Teredo (UDP-In) Error Information:
Reason: Local Port resolved to an empty set.
Original comment by james.ki...@gmail.com
on 8 Nov 2011 at 4:26
I also just verified that this only happens in TCP mode. There is no problem in
udp mode.
Original comment by james.ki...@gmail.com
on 8 Nov 2011 at 5:15
I think I have an idea of the cause. I will take a look. The <##> you
see is the start of each syslog message.
-Sherwin
On Nov 8, 2011, at 12:16 PM, "eventlog-to-syslog@googlecode.com"
<eventlog-to-syslog@googlecode.com> wrote:
Original comment by sherwin....@gmail.com
on 8 Nov 2011 at 6:19
Original issue reported on code.google.com by
theodor....@gmail.com
on 27 Jul 2011 at 12:56